(54) Improved security device and terminal and method for communication between them



(57) The present invention is related to a device arranged for authorising the use of a selected function among at least two functions provided on the device. The device comprises storing means (1) for a function-specific voice pattern linked to the selected function and comparing means (2) arranged for comparing an external input signal with the function-specific voice pattern.
Description

Field of the invention 

[0001] The present invention is related to an improved security device and method for communication between such device and a terminal.

State of the art 

[0002] Smart cards are used to improve security of functions like payments, access control, signatures and decryption. The smart cards ensure these functions can only be performed in the presence of a smart card because the smart cards contain one or more secrets (typically cryptographic keys) that are needed to successfully execute the functions.

[0003] To avoid the use of the smart cards by an illegitimate user, a passphrase that controls access to the smart card is used. The functions of the card are blocked as long as the passphrase is not validated by the smart card. The most commonly used passphrase for smart cards is a PIN. That PIN should be known by the cardholder only and is used by the card to verify the presence of the legitimate cardholder. The smart card has a mechanism to prevent an illegitimate user from guessing the PIN. For example, after three successive bad PINs have been sent to the smart card, the smart card refuses to operate.

[0004] To avoid misuse of said secrets by a terminal in the absence of the card, these secrets are kept in the card and are never given to the terminal. The PIN only authorises the terminal to use card functions that use these secrets.

[0005] When entering the PIN on the keyboard of a terminal (this can be for example a PC, an EFT POS terminal or a bank terminal), it is read by the program running on the terminal and is sent to the smart card. The smart card can verify if the PIN is correct. If the PIN is accepted by the smart card, the terminal can use any smart card function (see Fig. 1). As long as the PIN is not verified, asking the smart card for a function will fail.

[0006] Current smart cards can contain more than one function. It is the task of the terminal to make clear to the cardholder which function of the smart card will be used. It is also possible that the terminal asks the cardholder to select the function he wants to use. Example: a multi-function smart card can implement secure functions for access control and payments. When a cardholder wants access to a website with a smart card based access control function, he inserts his smart card in a PC and enters his PIN. When the same user wants to make a payment, he uses the same smart card and PIN to authorise the payment.
[0007] The terminal may fool the cardholder by doing something different than expected. When the cardholder enters his PIN on the assumption that the terminal will use a specific function of the smart card, the terminal might very well be using another function of the smart card and executing an operation the user did not ask for. The cardholder may for example use his smart card and his PIN on a PC in an Internet cafe to gain access to his e-mail. The PC uses the smart card and the PIN to make a payment that the cardholder did not expect. This payment can even be done without informing the cardholder.

[0008] The risk of such a problem is significant because the terminal does not belong to the cardholder and may be modified by whoever has access to the terminal and wants to commit fraud. A smart card however is easier to trust because it belongs to the cardholder and is designed to be difficult to modify.
[0009] A possible solution for the problem can be that each function on the smart card has a different PIN. The user decides which function of the smart card he wants to use, and enters the PIN for this specific function. If the terminal uses the PIN with the wrong function of the smart card, the smart card will refuse it (because this function requires a different PIN). In this way a PIN is reserved to a function, and a terminal cannot use a function the user did not authorise. For example, the cardholder wants to access his e-mail using a PC. He enters PIN 1234 because this is the PIN linked to the e-mail access authorisation. The PC tries to perform a payment with the same PIN and card without approval of the cardholder, but the smart card refuses the transaction because the PIN for a payment is different. Instead of reserving a different PIN for each function, a number of functions can also share the same PIN.

[0010] A major limitation of the above-mentioned solutions is that the cardholder has to remember many different PINs. In practice, the user will be tempted to use the same PIN instead of different values for many functions. Another limitation is that it increases the possibilities to guess a PIN: if a card has two different functions, each with a different PIN and three attempts on each PIN, the total number of PIN attempts to guess the PIN of a card becomes six instead of three.

[0011] Document EP-A-0 886 246 tackles more or less the same problem. It preferably makes use of a telephone line to transmit the voice signal. As opposed to the solution of the present invention it employs an external calculator to derive voice characteristics and check with the stored voiceprint. Similarly, in the approach of Feustel et al. (US-4827518) the comparison of spoken word and recorded pattern is performed on the terminal. Also in GB 2139389A the card reader and the comparator are united. In ES 21114493 and DE 19710664 the comparison takes place outside the smart card. In US patent US 4851654 the pronounced voice signal is processed on the smart card and subsequently output.

[0012] GB 2386803A discloses a system consisting of a token and a token reader. The comparison of stored pattern and pronounced sample can be performed by the token reader, but may alternatively also be performed within the token. It is mainly directed to the security of a digital signature.

[0013] In patent application WO 03/021539 A1 a portable device is disclosed that is arranged for comparing the detected signal characteristics with voice characteristics that are stored in a memory of the portable device. This portable device does not have the feature of multi-functionality. The device allows the selection of a function, as the memory may include preloaded voice sequences belonging to one or more legitimate users where each preloaded voice sequence corresponds to a command that is recognised by the processor. When the voice recognition code detects a match between a command spoken by a user and a sequence preloaded into the memory, the processor may execute a pre-defined sequence or task corresponding to the command. This feature of selecting a function in a device using pattern recognition is however not used in the present invention.

Aims of the invention 

[0014] The present invention aims to provide an improved security device for selective authorisation of functions which will avoid the use by an illegitimate user. In a second object it aims to provide a terminal unit for communicating with such a device. In a further object the invention relates to a method for communication between such a device and such a terminal.

Summary of the invention 

[0015] The present invention relates to a device arranged for authorising the use of a selected function among at least two functions provided on the device. The device comprises storing means for a function-specific voice pattern linked to the selected function and comparing means arranged for comparing an external input signal with the function-specific voice pattern.

[0016] In a preferred embodiment the function-specific voice pattern corresponds to an identifier being a word, a combination of words or a phrase to be pronounced by a legitimate user of the device. Optionally the device comprises identifier storing means.

[0017] Preferably the device further comprises PIN code storing means for accessing a selected function provided on the device.

[0018] Advantageously the device further comprises additional passphrases storing means for accessing a selected function provided on the device.

[0019] In a typical embodiment the device is a smart card.

[0020] In a second object the invention relates to a terminal unit for communication with a device as described above, comprising receiving means arranged for receiving the device, selection means for selecting a function, voice message recording means, processing means for the recorded voice message and communication means for sending the processed message to the device.

[0021] Preferably the terminal unit further comprises function reading means for reading the at least two functions provided on the device. Optionally the selection means are for selecting a function among at least two functions.

[0022] In an advantageous embodiment the terminal unit further comprises identifier storing means, the identifier being a word, a combination of words or a phrase to be pronounced by a legitimate user.

[0023] The invention also relates to a communication 
system comprising a device as described above and a 
terminal unit as mentioned. 

[0024] In another object the invention relates to a method for giving a user authorisation to use a selected function provided on a device as described above, the device being in communication with a terminal unit as described, comprising the steps of:

- receiving the device in a terminal unit,
- letting the user pronounce an identifier corresponding to the selected function (this may be on request of the terminal unit),
- processing the pronounced identifier,
- sending the processed identifier to said device,
- verifying on the device whether the processed identifier corresponds to the voice pattern specific for the selected function,
- granting authorisation to use the selected function in case of a positive verification, or denying access to the selected function in case of a negative verification.

[0025] In an alternative embodiment the method for giving authorisation further comprises the step of checking a PIN code to gain access to the selected function.

[0026] In a preferred embodiment the selected function is determined by said user (possibly on request of said terminal unit), after receiving said device. Alternatively the step of selecting is performed before the step of receiving the device.

[0027] In yet another embodiment the method for giving authorisation further comprises the step of checking additional passphrases to gain access to the selected function.

[0028] In a specific embodiment, the terminal unit may display the identifier corresponding to the function to be used. The terminal unit may obtain the identifier corresponding to the function to be used from the device.

[0029] In a further object the invention relates to a method for obtaining authorisation to use a function provided on a device as described above, the device being in communication with a terminal unit as described, comprising the steps of:

- entering the device into a terminal unit,
- selecting a function to be authorised,
- pronouncing (possibly on request of the terminal unit) an identifier corresponding to the selected function,
- after recognition of the voice pattern of the pronounced identifier by the device, obtaining authorisation to use the selected function.

[0030] Alternatively the method for obtaining authorisation further comprises the step of using a PIN code to gain access to the selected function.

[0031] In another embodiment the method for obtaining authorisation further comprises the step of using additional passphrases to gain access to the selected function.

Short description of the drawings 

[0032] Fig. 1 represents a prior art solution. 

[0033] Fig. 2 represents a solution according to the invention.

Detailed description of the invention 

[0034] The invention proposes to use biometrics, and more specifically voice recognition, instead of (or in addition to) using a PIN to give access to a function on the smart card. Biometric voice recognition does not use the actual value of a spoken word, but the way it is pronounced by a specific person. This way the passphrase (being a pronounceable word) does not have to be secret. Someone else who can see or hear it is not capable of pronouncing it exactly the way the legitimate user pronounces it. Because the word itself is not secret, the protection lies in how the legitimate user pronounces it.

[0035] In the solution according to the invention as represented in Fig. 2 each function of the smart card has a different voice pattern linked to it. For both the cardholder and the card this pattern represents a specific function. The cardholder is asked (explicitly or implicitly) to pronounce a word to gain access to a function. The smart card only allows the function after recognition of a voice pattern linked to the function. Example: when sending the spoken word 'signature' to a 'digital signature' function of a smart card, this gives access to this function, and cannot be used to obtain access to another function of the smart card.

[0036] The device handles secrets, typically cryptographic keys, and is protected against disclosure of these secrets. The physical and logical protection mechanisms used for the secret protection can also be used to protect the function-specific voice patterns in the device against modification.

[0037] The function-specific voice pattern stored in the device must not be modifiable by an illegitimate person. The device therefore implements access control to the voice pattern storing means. A logical access control implementation may use one-time programmable memory, so that the information cannot be modified after it has been written the first time. Another logical access control implementation may use authorisation control to write data in the device. The authorisation may be based on PINs, passwords, voice recognition and cryptography in any combination. A way to implement the physical access control is the use of chips for smart cards or USB security dongles.

[0038] The function-specific voice patterns can be put in the device in numerous ways. It can be done during a registration process in a trusted environment where the legitimate user pronounces the required identifiers. A trusted terminal device processes the pronounced identifiers and communicates the result together with the required access control information to the device where the results can again be processed before being stored.

[0039] The invention does not use a biometric sensor (microphone) in the device itself to prevent fraud because this is difficult and expensive to manufacture and because it does not prevent the fraudulent use of recorded voice on stolen devices.

[0040] This approach has several advantages. The word that the cardholder is asked to pronounce can match the function that he wants to authorise. This is easy to explain to the cardholder and easy to remember for the cardholder. Further, the terminal cannot perform functions other than those authorised by the cardholder. Another practical advantage of having several functions on the same card is, from the user's point of view, that one does not need separate cards for various functions like electronic wallet, building access, digital signature etc.

[0041] Using this principle, instead of having to remember a PIN per function, the user has to remember an easy-to-remember word (e.g. the name of the function). The word corresponding to the function may be stored in the terminal. This makes it possible to show the word the user has to pronounce on the screen of the terminal. Another extension is to store the words to be pronounced in the smart card. This makes the terminals more independent. After a cardholder has selected a terminal function and inserted his smart card (in any order), the terminal may ask the card to provide the word corresponding to the function. Imagine an e-mail terminal in an international airport. All users may understand English, but have a different word linked to a card function. When the cardholder inserts his smart card, the terminal asks the smart card for the "text" corresponding to the e-mail function. The smart card responds with "courriel" for a French customer and "brievenbus" for a Dutch customer. The terminal requests the cardholder to pronounce that text. By choosing words that mean something, the user is better capable of knowing exactly what will be done once he pronounces the passphrase (this means: which function he will open and what can be done with it).

[0042] As another example, the cardholder uses a PC mouse to instruct the PC he wants to access his e-mail. The PC asks him to pronounce "e-mail". The cardholder pronounces "e-mail". The PC transmits the processed voice recording and the e-mail function selection to the smart card. The smart card verifies that the "e-mail" recording corresponds to the "e-mail" pattern linked to its "e-mail" function. The card authorises the e-mail function of the card. In this example the terminal cannot perform a function different from e-mail if the cardholder did not pronounce the words corresponding to these functions.

Also, recorded voice samples cannot be used for all functions of the card. In order to prevent illegitimate use of voice recordings, users can refrain from pronouncing certain words in an environment they don't trust. E.g. they don't pronounce the word 'signature' outside the office in order to prevent the use of the signature function even if the card is used (and the voice recorded), then stolen outside the office.
[0043] The word may be replaced with a combination of words or a phrase. When a user pronounces 'Purse Load', the terminal converts the spoken word into digital format and sends it to the Purse Load function in a smart card. The Purse Load function verifies if this password is really 'Purse Load' pronounced by the legitimate user. If so, the Purse application can be used. If the verification fails, the Purse Load function remains closed.

[0044] In addition to the voice patterns of each card function, a PIN can be used. Since PIN and voice recognition serve different purposes, it can be explained to cardholders that they need both a PIN and a voice pattern to access functions. Since the PIN increases the authorisation confidence, the recognition requirements can be lowered, thus lowering false rejection.
[0045] In another embodiment additional passphrases are used for one function. Each passphrase imposes specific limits where the function allows it. An example of this is the signing money transfer function. The problem is again the same: the user does not see what happens inside the terminal. If he wants to transfer €1000, he can give his voice passphrase for the money transfer function, e.g. 'Money Transfer'. The terminal sends this spoken password to the smart card, and has access to the money transfer function, but there is no proof that, because the terminal shows '€1000' on the screen, this amount is actually sent to the smart card. A fraudulent terminal can ask the smart card for a money transfer of €100.000. The solution is to give the same smart card function more than one passphrase. In our example with the money transfer function this can be:

• 'Money Transfer'

• 'Money Transfer maximum one thousand'

• 'Money Transfer maximum one million'

Depending on which passphrase is received, the function only allows money below a specific amount (in our example, the first password allows only money transfers smaller than €100 (the default), the second one smaller than €1000, the third smaller than one million).
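
The per-function voice check of [0035] and [0042] and the per-passphrase limits of [0045], modelled from the card's side as an added Python example that is not part of the patent text. The toy feature vectors, the cosine-similarity matcher, the 0.95 threshold, the three-failure block (borrowed from the PIN rule in [0003]) and the one-operation-per-authorisation rule are assumptions made for illustration; all class and function names are hypothetical.

```python
import math

MATCH_THRESHOLD = 0.95  # assumed acceptance threshold for the stand-in matcher
MAX_FAILURES = 3        # assumed: the three-attempt rule the text gives for PINs

def similarity(a, b):
    """Cosine similarity; a stand-in for the card's real voice comparator."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class CardFunction:
    def __init__(self, patterns):
        # patterns: list of (enrolled_template, limit); limit None = no amount cap
        self.patterns = patterns
        self.failures = 0
        self.authorised = False
        self.limit = None

class Card:
    def __init__(self, functions):
        self.functions = functions

    def authorise(self, name, sample):
        """Compare the sample only with the patterns of the requested function."""
        fn = self.functions[name]
        fn.authorised = False
        if fn.failures >= MAX_FAILURES:
            return False  # this function is blocked after repeated mismatches
        for template, limit in fn.patterns:
            if similarity(sample, template) >= MATCH_THRESHOLD:
                fn.failures = 0
                fn.authorised, fn.limit = True, limit
                return True
        fn.failures += 1
        return False

    def transfer(self, amount):
        """Money transfer: needs a fresh authorisation and respects its cap."""
        fn = self.functions["money_transfer"]
        ok = fn.authorised and amount < fn.limit
        fn.authorised = False  # assumed: one authorisation covers one operation
        return ok

# Constructed enrolment templates (toy 4-dimensional feature vectors).
EMAIL = (0.9, 0.1, 0.2, 0.1)
MT_DEFAULT = (0.1, 0.9, 0.1, 0.2)    # 'Money Transfer'
MT_THOUSAND = (0.1, 0.2, 0.9, 0.1)   # 'Money Transfer maximum one thousand'
MT_MILLION = (0.2, 0.1, 0.1, 0.9)    # 'Money Transfer maximum one million'

# Constructed live samples: the same phrases with slight variation.
SAID_EMAIL = (0.88, 0.12, 0.19, 0.10)
SAID_MT_THOUSAND = (0.12, 0.18, 0.88, 0.11)

def new_card():
    return Card({
        "email": CardFunction([(EMAIL, None)]),
        "money_transfer": CardFunction([
            (MT_DEFAULT, 100), (MT_THOUSAND, 1_000), (MT_MILLION, 1_000_000)]),
    })

def rogue_terminal_demo():
    card = new_card()
    results = {}
    # Terminal forwards the 'e-mail' sample to the payment function instead.
    results["email_sample_on_transfer"] = card.authorise("money_transfer", SAID_EMAIL)
    results["email_sample_on_email"] = card.authorise("email", SAID_EMAIL)
    # User approves up to 1000; terminal displays 1000 but requests 100000.
    card.authorise("money_transfer", SAID_MT_THOUSAND)
    results["transfer_100000"] = card.transfer(100_000)
    card.authorise("money_transfer", SAID_MT_THOUSAND)
    results["transfer_999"] = card.transfer(999)
    return results

if __name__ == "__main__":
    print(rogue_terminal_demo())
```

The card, not the terminal, decides both which function a sample unlocks and which amount cap applies, so what the terminal displays has no influence on what the card permits.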



Claims 

1. Device arranged for authorising the use of a selected function among at least two functions provided on said device, said device comprising storing means (1) for a function-specific voice pattern linked to said selected function and comparing means (2) arranged for comparing an external input signal with said function-specific voice pattern.

2. Device as in claim 1, wherein said function-specific voice pattern corresponds to an identifier being a word, a combination of words or a phrase to be pronounced by a legitimate user of said device.

3. Device as in claim 2, further comprising identifier storing means.

4. Device as in any of the previous claims, further comprising PIN code storing means for accessing a selected function provided on said device.

5. Device as in any of the previous claims, further comprising additional passphrases storing means for accessing a selected function provided on said device.

6. Device as in any of the previous claims, said device being a smart card.



7. Terminal unit for communication with a device as in any of the previous claims, comprising receiving means (10) arranged for receiving said device, selection means for selecting a function, voice message recording means (30), processing means (40) for said recorded voice message and communication means (50) for sending said processed message to said device.

8. Terminal unit as in claim 7, wherein said selection means are for selecting a function among at least two functions.

9. Terminal unit as in claim 7 or 8, further comprising function reading means for reading said at least two functions provided on said device.

10. Terminal unit as in claim 7, 8 or 9, further comprising identifier storing means, said identifier being a word, a combination of words or a phrase to be pronounced by a legitimate user.

11. Communication system comprising a device as in any of claims 1-6 and a terminal unit as in any of claims 7-10.

12. Method for giving a user authorisation to use a selected function provided on a device according to any of claims 1 to 6, said device being in communication with a terminal unit as in any of claims 7 to 10, comprising the steps of:

- receiving said device in said terminal unit,
- letting said user pronounce an identifier corresponding to said selected function,
- processing said pronounced identifier in said terminal unit,
- sending said processed identifier to said device,
- verifying on said device whether said processed identifier corresponds to the voice pattern specific for said selected function,
- granting authorisation to use said selected function in case of a positive verification, or denying access to said selected function in case of a negative verification.

13. Method for giving authorisation as in claim 12, further comprising the step of checking a PIN code to gain access to said selected function.

14. Method for giving a user authorisation to use a selected function as in claims 12 or 13, whereby said selected function is determined by said user, after receiving said device.

15. Method for giving a user authorisation as in claim 14, wherein the step of selecting is performed before the step of receiving said device.

16. Method for giving authorisation as in any of claims 12 to 15, further comprising the step of checking additional passphrases to gain access to said selected function.

17. Method for obtaining authorisation to use a selected function provided on a device according to claim 1, said device being in communication with a terminal unit as in any of claims 7 to 10, comprising the steps of:

- entering said device into said terminal unit,
- pronouncing an identifier corresponding to said selected function,
- after recognition of the voice pattern of said pronounced identifier by said device, obtaining authorisation to use said selected function.

18. Method for obtaining authorisation to use a selected function as in claim 17, wherein said selected function to be authorised is determined on request of said terminal unit.

19. Method for obtaining authorisation as in claim 17 or 18, further comprising the step of using a PIN code to gain access to said selected function.

20. Method for obtaining authorisation as in any of claims 17 to 19, further comprising the step of using additional passphrases to gain access to said selected function.